CVE-2026-33399

EUVD-2026-14945 | HIGH
Published: 2026-03-24 | Source: GitHub_M
CVSS 3.1 base score: 7.7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 24, 2026 - 18:15 (vuln.today)
EUVD ID Assigned: Mar 24, 2026 - 18:15 (euvd) - EUVD-2026-14945
CVE Published: Mar 24, 2026 - 17:43 (nvd) - HIGH 7.7

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.
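The description above boils down to a control that exists on one code path (the test* handlers) but not on the sibling path that actually persists the value (the save* handlers), with the cron job trusting whatever was stored. The following PHP is an added illustration written for this page; it is not Wallos code and does not reproduce the project's real validate_webhook_url_for_ssrf(). The function and array names, the settings shape, and the validator logic are all assumptions. It shows the vulnerable shape (check only on test) next to the hardened shape (check on every write path, and again immediately before the request is sent).

```php
<?php
declare(strict_types=1);

// Hypothetical validator (assumption, not the Wallos implementation).
// Rejects non-HTTP schemes, unresolvable hosts, and any address in
// loopback, link-local, RFC 1918 or other reserved ranges.
function is_safe_webhook_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    // Resolve hostnames so a DNS name pointing at a private address is caught too.
    // gethostbynamel() returns IPv4 only; an IPv6-only name fails closed here.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false; // unresolvable: refuse rather than guess
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Vulnerable shape: the test handler validates, the save handler does not,
// so an internal address can be stored and later used by the cron sender.
function test_notification_vulnerable(string $url): bool
{
    return is_safe_webhook_url($url);
}
function save_notification_vulnerable(array &$settings, string $url): void
{
    $settings['webhook_url'] = $url; // no SSRF check on this path
}

// Hardened shape, part 1: every write path validates before persisting.
function save_notification(array &$settings, string $url): bool
{
    if (!is_safe_webhook_url($url)) {
        return false;
    }
    $settings['webhook_url'] = $url;
    return true;
}

// Hardened shape, part 2: the sender re-validates at time of use, so a value
// written through any other path (old rows, direct DB edits, a handler that
// forgot the check) is still blocked. Redirects are disabled because a
// public host could otherwise redirect the request to an internal one.
function send_notification(array $settings): ?string
{
    $url = $settings['webhook_url'] ?? '';
    if (!is_safe_webhook_url($url)) {
        error_log('notification skipped: webhook URL failed SSRF validation');
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode(['text' => 'subscription renewal due']),
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed demo values (not real endpoints).
$settings = [];
$internal = 'http://10.0.0.5/hooks/x';
$public   = 'https://hooks.example.com/x';

save_notification_vulnerable($settings, $internal);   // stored unchecked
var_dump(test_notification_vulnerable($internal));    // bool(false), but too late

$settings = [];
var_dump(save_notification($settings, $internal));    // bool(false): rejected on save
var_dump(save_notification($settings, $public));      // bool(true)
var_dump(send_notification(['webhook_url' => $internal])); // NULL: blocked at send
```

Two caveats worth keeping in mind when applying this pattern: the resolve-then-check step can still be raced by DNS rebinding between validation and the actual request, which is why the network-level restriction in the Remediation section (firewalling egress from the Wallos host to internal ranges) is the control to rely on, and an allow-list of expected webhook hosts is stricter than a deny-list of private ranges where the deployment permits it.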

Analysis

An incomplete Server-Side Request Forgery (SSRF) mitigation in Wallos, a self-hostable subscription tracker, allows authenticated attackers to bypass security controls and force the application to make requests to internal or private IP addresses. Wallos versions prior to 4.7.0 are affected. …


Remediation

Within 24 hours: Inventory all Wallos deployments and confirm versions; restrict network access from Wallos servers to internal IP ranges using firewall rules. Within 7 days: Disable or restrict notification endpoint functionality if not critical to operations; implement network segmentation to isolate Wallos from sensitive systems; audit user access logs for suspicious activity. …


Priority Score

Priority Score: 39 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0


CVE-2026-33399 vulnerability details – vuln.today
